Where does ISPConfig expect to see server and private kys

This has probably been done before, but I can't do a search because the adverts are totally blocking the search function (FF on Deb Etch <edit>sorry, it's on Ubuntu current version, it's my server which is on Etch</edit>).

Would someone please tell me where ISPConfig would expect to find the server and private keys, respectively, on an SSL enabled domain on an Etch server? Then I can set up the VHosts configuration properly.

While I'm a Cacert assurer as well, it's a while since I've done this, as I use a homebrew multidomain on 1 IP setup.
The ISPConfig technique, is that you take the Certificate and paste it into the text box provided for the site under the SSL tab that appears when you enable SSL.
I just have a nasty suspicion that you should use a CSR generated in the same place (the SSL tab) for the certificate generation. i.e. generate the signing request there, and cut and paste that into the CaCert form.
ISPConfig then parks the certificate in the correct place for the site, and sets up the paths etc for the secure connection in the Vhosts file.
Thinking about that, that probably takes care of the key, as the ISPConfig key is used to generate the CSR.
You may need to grab the CaCert certificate chain file as well and put it in the ssl folder.

Thanks, once again chuckl. I've never done a ssl cert before. I'm trying to help a few people get into business online so would like to learn my way around alll this and become a CAcert assurer myself.

Perhaps I should go back into the CAcert site and cancel the one I generated, then redo the request via ISPConfig?

I would definitely suggest that, yes. Generate a CSR in ISPConfig for that site, and cut and paste into an editor. Head for Cacert, cancel the existing one and reissue with the ISPConfig generated CSR, then when the cert arrives, paste into the site SSL tab field.

To create a SSL cert in ISPConfig, enter the details for the SSL cert in the fields on the ssl tab and leave the fields ssl-request and ssl-cert empty. Then select "Create" as acrion in the action box and click on the save button. Now wait abaout a minute and you have a working SSL setup with fresh self signed certificates created by ISPconfig.

Thanks, till, but I don't want a self-signed certificate. I want a CAcert signed certificate. What I need to generate at this time is the request.

Click to expand...

What I described above is the procedure to create the request

You take the request that has been created by ISPConfig, sign it at cacert and put the certificate that you got from cacert into the certificate field. Then select "save" as action and click on the save button.

So, SSL Cert added, all looks to be in the right place. However, now getting a strange error message when trying to bring up the site or the admin section (it's not called admin any more) with https:// on a site with Zen Cart as its only content. I need to know whether the peoblem is generated by ISPConfig, Zen Cart, the CAcert or some combination. The error message is:

Playing with Zen Cart as well ! thats definitely compounding the felony.

When you say 'bringing it up with https, do you mean simply using https in the url rather than http, or that you are going to the user login/signup page or admin login, where it should automatically switch to https?

It should work either way, but it can get tricky on some setups. The -12263 is a nasty as well. Means - I'm not happy with the data I'm getting.

Could I suggest copy and back up your caCert stuff, then use the ISPConfig ssl page to generate a self signed certificate from the CSR, as Till described earlier in the thread, and test with that?
It'll give the usual bloodthirsty warnings, but it's fine for testing to see if it gives a similar error.

Same result. Also, ISPConfig is reluctant to generate anything. A couple of times now I've had to delete a private key only and go back in to get a certificate and a request.

What next? Do a full Zen Cart reinstall with the (CA)cert already in place? That's several hours of installation and reconfiguration, but if it gets the thing working? I could be just as long trying to work out what's wrong here and still end up with the same conclusion, I suppose.

I think the original idea was that the ENABLE_SSL would only enable it for the payment modules, ENABLE_SSL_CATALOG does it for login and any other 'sensitive' areas after login, as well as payment. I'd have to check the code to be sure.

The other gotcha area with SSL is if you have Suexec or SuPHP enabled, they can play havoc with things if all is not perfect.